Description
An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user’s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data.
Published: 2026-07-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits an authenticated user to modify the company ID parameter in a POST request, bypassing the application’s validation of the tenant context. This enables the attacker to access, view and potentially alter sensitive customer data from other companies within the same subdomain environment. The flaw is identified as CWE‑639, reflecting a failure to properly verify authorisation.

Affected Systems

The affected product is Adiss Biloop. No specific version information is provided in the report; any deployed instance of the application is potentially vulnerable until patched.

Risk and Exploitability

With a CVSS score of 9.3 the risk is severe. The EPSS score is < 1%, indicating a very low but non‑zero exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to be an authenticated user; from that state the attacker can manipulate a single parameter in the backend API, bypassing cross‑tenant checks. The exploit is straightforward against the web application and does not require privileged external access.

Generated by OpenCVE AI on July 10, 2026 at 07:15 UTC.

Remediation

Vendor Solution

The vulnerability has now been fixed, so we recommend updating to the latest available version.


OpenCVE Recommended Actions

  • Update Biloop to the latest released version that contains the fix release.
  • Verify that all instances enforce tenant‑ID validation against the authenticated session.
  • Disable or restrict access to the backend endpoint that accepts company IDs until the patch is applied.

Generated by OpenCVE AI on July 10, 2026 at 07:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Adiss
Adiss biloop
Vendors & Products Adiss
Adiss biloop

Mon, 06 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
Description An authenticated user could manipulate a company ID parameter in a POST request to the backend to gain unauthorised access to other companies hosted within the same subdomain environment. The application does not adequately verify whether the requested company ID belongs to the authenticated user’s session, resulting in a cross-tenant authorisation bypass. If this vulnerability is successfully exploited, it allows unauthorised access to sensitive customer information, including billing data, and may enable the unauthorised modification of third-party data.
Title Incorrect authorisation in Adiss’s Biloop
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-07-06T12:50:57.194Z

Reserved: 2026-06-19T08:38:05.732Z

Link: CVE-2026-12686

cve-icon Vulnrichment

Updated: 2026-07-06T12:50:53.831Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T07:30:12Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key